Patching is too important to be neglected
Patching is too important to be neglected

Discussing the pros and cons of radio frequency identification (RFID), the technology that allows interaction between small chips and nearby readers without physical contact, is a surefire way to get a good argument going.

It's certainly a useful technology. My car key includes an RFID security token that switches off the immobiliser as soon as I'm in the seat. Even my cat has an RFID chip that not only makes it easy to locate his rightful home should he wander too far, but also allows the vet to take his temperature in a far more dignified fashion than before.

RFID is also becoming ubiquitous in security passes, with further enhancements such as automatic logoff when out of range of your PC. One of the key benefits of implementations using this technology is that it generally doesn't require the user to do anything.

Of course there are downsides to RFID, and privacy advocates are, not unfairly, concerned about the creeping spread of RFID devices containing personal information. Although nominally accessible only from short distances (10cm or so), as the increasing distance of wireless hacks has shown, the range of a radio device is limited only by the size of the antenna and resourcefulness of the attacker. There are already prototype designs with ten times the current range, and that's just the start.

Perhaps the RFID privacy issue most likely to affect the public is the addition of RFID chips to passports. Both the UK and US are currently planning this, and there is a shortage of good information on the security precautions. While there is certainly an advantage in having electronic data embedded into a passport, it needs to be handled carefully.

Allowing the data to be read remotely using RFID rather than, for example, a smartcard, gives a small advantage in usability at the cost of a major increase in the threat of unauthorised access. Worse still, if the chip contains all the data held in printed form, the possibility of remotely "skimming" passports arises. Credit card companies learned the hard way that you need some data that isn't held electronically on the card, which is why the now ubiquitous CVV number on the signature strip was introduced.

RFID is not in itself a security risk, indeed many of its current applications increase security. Like any technology, its benefits should be balanced against the risks it introduces. For car keys and cats there are clear advantages, but for electronic passports, old-fashioned smartcards would be a more prudent choice.